The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained networks in the IoT (Internet of Things). The protocol is designed for machine-to-machine (M2M) applications such as smart energy and building automation.

Now most comprehensive assumptions are taken by researchers and advanced technology programs that this CoAP will be the most predictable pathway for DDos attacks in near future which was approved in 2014 and largly used this year.

Scope of CoAP

CoAP was designed as a lightweight machine-to-machine (M2M) protocol that can run on smart devices (like Mobile) where memory and computing resources are scarce. CoAP is a complete service layer protocol that is intended for use in resource-constrained internet devices, such as wireless sensor network nodes. Just like HTTP is used to transport data and commands (GET, POST, CONNECT, etc.) between a client and a server, CoAP also allows the same multicast and command transmission features. It is very similar to HTTP, but instead of working on top of TCP packets, it works on top of UDP, a lighter data transfer format created as a TCP alternative.

CoAP service layer is designed to easily translate to HTTP for simplified integration with the web, while also meeting specialized requirements such as multicast support, very low overhead, and simplicity. Multicast, low overhead, and simplicity are extremely important for Internet of Things (IoT) and Machine-to-Machine (M2M) devices, which tend to be deeply embedded and have much less memory and power supply than traditional internet devices have. Therefore, efficiency is very important. CoAP can run on most devices that support UDP or a UDP analogue.

But just like any other UDP-based protocol, CoAP is inherently susceptible to IP address spoofing and packet amplification, the two major factors that enable the acceleration of a DDoS attack. An attacker can send a small UDP packet to a CoAP client (an IoT device), and the client would respond with a much larger packet with larger response message. In the world of DDoS attacks, the size of this packet response is known as an amplification factor, and for CoAP, this can range from 10 to 50, depending on the initial packet and the resulting response (and the protocol analysis you're reading). Furthermore, because CoAP is vulnerable to IP spoofing, attackers can replace the "sender IP address" with the IP address of a victim they want to launch a DDoS attack against, and that victim would receive the blunt force of the amplified CoAP traffic. The people who designed CoAP added security features to prevent these types of issues, but as Cloudflare pointed out in a blog post last year, if device makers implement these CoAP security features, the CoAP protocol isn't so light anymore, negating all the benefits of a lightweight protocol.

That's why most of today's CoAP implementations dropped using hardened security modes for a "NoSec" security mode that keeps the protocol light, and is also vulnerable to DDoS abuse.

Performance and high adoption of CoAP in IoT

Because CoAP is a new protocol, a few hundreds of vulnerable devices here and there would have never been a problem, even if all were running in NoSec modes. Unfortunately, things started to change.

According to a talk that Dennis Rand, founder of eCrimeLabs gave at the RVAsec security conference, the number of CoAP devices has exploded since November 2017. Rand says the CoAP device count jumped from a lowly 6,500 in November 2017 to over 26,000 the next month. Things got even worse in 2018 because by May that number was at 278,000 devices, a number that today is hovering at 580,000-600,000, according to Shodan, a search engine for Internet-connected devices. Rand suggests the reason for this explosion is CoAP's use as part of QLC Chain (formerly known as QLink), a project that aims build a decentralized blockchain-based mobile network using WiFi nodes available across China.

But this sudden rise in readily available and poorly secured CoAP clients hasn't gone unnoticed. Over the past few weeks, the first DDoS attacks carried out via CoAP have started to leave their mark.

A security researcher who deals with DDoS attacks published a report that CoAP attacks have happened on an occasional basis over the past months, with increasing frequency, reaching 55Gbps on average, and with the largest one clocking at 320Gbps.

The 55Gbps average is an order of magnitude superior to the average size of a normal DDoS attack, which is 4.6Gbps, according to DDoS mitigation firm Link11.

Of the attacks the researcher has recorded, most have targeted various online services in China, but also some MMORPGs platforms outside of mainland China. It is unclear if CoAP has been added as an attack option to DDoS-for-hire platforms, once this happens whether such attacks will intensify even more.

Furthermore, CoAP's use in the real world has exploded this year and was not mainly restricted to China. It is safe to assume that once CoAP has already become popular in China, today's main manufacturing hub, vulnerable devices will also spread to other countries as devices made in the communist state are sold overseas.

A red-flag to the Hot & M2M Platform

Just like the case with most protocols developed with IoT in mind, the issue doesn't seem to reside in the protocol design, which includes some basic security features, but in how device makers are configuring and shipping CoAP in live devices. Many protocols are often misconfigured, by accident or intentionally, by device makers, which often choose interoperability and ease of use over security.

However the factor that can annoy some safety researchers is that some predicted this might occur even sooner how CoAP used to be authorized as an respectable Web usual, long ago in 2013.

This used to be an unconditionally avoidable crisis if handiest international locations all over the world had extra stringent regulations about IoT units and their security measures.

The similar analysis additionally checked out a fellow M2M protocol, MQTT, additionally recognized to be a large number, and through which the researcher has recognized a number of vulnerabilities.